diff options
| author | Claude Paroz <claude@2xlibre.net> | 2014-03-20 16:50:50 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2014-03-22 11:07:27 +0100 |
| commit | d1503afd66ca8f2f8d3819ba8a60727e0ee66cec (patch) | |
| tree | eb704add3a7db31d3f0e3e107fe693aef331ee67 /docs/ref/utils.txt | |
| parent | c8c2d60614c614174ef30f5bc69601264713a8ef (diff) | |
[1.6.x] Improved strip_tags and clarified documentation
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f8 from master.
Diffstat (limited to 'docs/ref/utils.txt')
| -rw-r--r-- | docs/ref/utils.txt | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index c75f38566a..107f6fd591 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -616,17 +616,23 @@ escaping HTML. .. function:: strip_tags(value) - Removes anything that looks like an html tag from the string, that is - anything contained within ``<>``. + Tries to remove anything that looks like an HTML tag from the string, that + is anything contained within ``<>``. + Absolutely NO guaranty is provided about the resulting string being entirely + HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without + escaping it first, for example with :func:`~django.utils.html.escape`. For example:: strip_tags(value) - If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the - return value will be ``"Joel is a slug"``. Note that ``strip_tags`` result - may still contain unsafe HTML content, so you might use - :func:`~django.utils.html.escape` to make it a safe string. + If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` + the return value will be ``"Joel is a slug"``. + + If you are looking for a more robust solution, take a look at the `bleach`_ + Python library. + + .. _bleach: https://pypi.python.org/pypi/bleach .. versionchanged:: 1.6 |
